SANS ISC InfoSec Forums

More and more online services (not only websites) have switched to "SSL" for a while and, if it increases the end-user security, sometimes it's a pain for security peeps who have too perform investigations or control (yes, it may happen also). During the last edition of BruCON, I collected certificates over the wire. It's easy to do via a tool like Bro which has this feature built-in. To enable it, just change your local.bro configuration file:

The new interesting log is called certs-remote.pem and will quickly be populated. The problem is that all certificates are stored in one big file. We can split them in <number>.pem files using the following awk command:

The command above extracted 2139 unique URLs (FDQN or wildcards) visited by BruCON attendees. Keeping an eye on SSL certificates can be interesting to track suspicious activity and also to keep an eye on which websites were visited by your users in a passive way. They also contain a lot of interesting information that could be useful during future investigations. Have also a look to the Passive SSL project supported by CIRCL.lu (the Luxembourg CERT).

This certainly could be a useful addition to existing logging. The existing logging should be recording the cert signature to support the addition of a cert database.

Keep in mind deriving URLs visited from certificates is less accurate due to flawed usage (mostly in HTTPS), but finding flawed usage becomes possible. Users conditioned to flawed usage in HTTPS are likely to be duped into accepting certificate anomaly in malicious circumstances.

This would also support searches for such anomalies and investigating possible malicious intent behind the anomaly. Or as I have seen some really poor usage such a bank outsourcing their online account access resulting in redirection to the provider, but at least the provider is using an EV cert. When notified, said bank brushed off the possibility their customers are being conditioned for a malicious actor dupe them into revealing their account credentials.